The latter can't be enforced, but individual buyers can demand that for all known certs.

And I think you can currently get certs expiring later than the domain, which seems wrong to me. Is there a good justification for that?